/// <summary>Override to review certificate validation decisions.</summary> protected bool RemoteCertificateValidation(object sender, X509Certificate cert, X509Chain chain, int depth, VerifyResult result) { try { _ch.Verify(OpenSslCertificateHandler.OpenSslX509ToMonoX509(cert), default(ISender)); } catch { return(false); } return(result == VerifyResult.X509_V_OK || result == VerifyResult.X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT); }
public void ValidityTest() { var osch = new OpenSslCertificateHandler(); RSACryptoServiceProvider rsa = new RSACryptoServiceProvider(512); byte[] blob = rsa.ExportCspBlob(false); RSACryptoServiceProvider rsa_pub = new RSACryptoServiceProvider(); rsa_pub.ImportCspBlob(blob); string ID = "brunet:node:PXYSWDL5SZDHDDXJKZCLFENOP2KZDMBU"; CertificateMaker cm = new CertificateMaker("US", "UFL", "ACIS", "David Wolinsky", "*****@*****.**", rsa_pub, ID); Certificate cert_0 = cm.Sign(cm, rsa); osch.AddSignedCertificate(cert_0.X509); osch.AddCACertificate(cert_0.X509); var ocert = OpenSslCertificateHandler.OpenSslX509ToMonoX509(osch.LocalCertificate); Assert.AreEqual(cert_0.X509.RawData, ocert.RawData, "local check"); Assert.IsTrue(CertificateHandler.Verify(ocert, ID), "Valid"); }
/// <summary></summary> public DtlsOverlord(RSACryptoServiceProvider private_key, CertificateHandler ch, PType ptype) : base(private_key, ch) { _osch = ch as OpenSslCertificateHandler; if (_osch == null) { throw new Exception("CertificateHandler is invalid type: " + ch.GetType()); } _it = new IdentifierTable(); _sas_helper = new IdentifierTableAsDtlsAssociation(_it); _rwl = new ReaderWriterLock(); _sender_to_sa = new Dictionary <ISender, DtlsAssociation>(); PType = ptype; _ptype_mb = ptype.ToMemBlock(); _ctx = new SslContext(SslMethod.DTLSv1_method); _ctx.SetCertificateStore(_osch.Store); _ctx.SetVerify(VerifyMode.SSL_VERIFY_PEER | VerifyMode.SSL_VERIFY_FAIL_IF_NO_PEER_CERT, RemoteCertificateValidation); _ctx.UsePrivateKey(AsymmetricKeyToOpenSslFormat(_private_key)); _ctx.UseCertificate(_osch.LocalCertificate); _ctx.CheckPrivateKey(); _ctx.Options = SslOptions.SSL_OP_SINGLE_DH_USE; var rng = new RNGCryptoServiceProvider(); byte[] sid = new byte[4]; rng.GetBytes(sid); _ctx.SetSessionIdContext(sid); _ctx.SetCookieGenerateCallback(GenerateCookie); _ctx.SetCookieVerifyCallback(VerifyCookie); _ctx.Options = SslOptions.SSL_OP_COOKIE_EXCHANGE; UpdateCookie(); }
public DtlsOverlordClientServer(bool threaded, bool good_client, bool good_server, double noisy) { var server_ch = new OpenSslCertificateHandler(); if (good_server) { server_ch.AddSignedCertificate(X509); } server_ch.AddCACertificate(X509); Server = new DtlsOverlord(Rsa, server_ch, PType); ServerIn = new MockDataHandler(); Server.Subscribe(ServerIn, null); var client_ch = new OpenSslCertificateHandler(); if (good_client) { client_ch.AddCACertificate(X509); } client_ch.AddSignedCertificate(X509); Client = new DtlsOverlord(Rsa, client_ch, PType); ClientIn = new MockDataHandler(); Client.Subscribe(ClientIn, null); if (threaded) { ToServer = new ThreadedMockSender(null, null, Server, 1, noisy); ToClient = new ThreadedMockSender(ToServer, null, Client, 1, noisy); } else { ToServer = new MockSender(null, null, Server, 1, noisy); ToClient = new MockSender(ToServer, null, Client, 1, noisy); } ToServer.ReturnPath = ToClient; }
/// <summary>Creates an ApplicationNode and prepares it for connection to /// the overlay. For historical reasons it is linked to _node, _dht, /// _rpc_dht, and _bso.</summary> public virtual ApplicationNode CreateNode(NodeConfig node_config) { // Get a Node ID for the new Node AHAddress address = null; try { address = (AHAddress) AddressParser.Parse(node_config.NodeAddress); } catch { address = Utils.GenerateAHAddress(); } // Create the Node state StructuredNode node = new StructuredNode(address, node_config.BrunetNamespace); _shutdown.OnExit += node.Disconnect; IEnumerable addresses = IPAddresses.GetIPAddresses(node_config.DevicesToBind); SecurityOverlord so = null; // Enable Security if requested if(node_config.Security.Enabled) { if(node_config.Security.SelfSignedCertificates) { SecurityPolicy.SetDefaultSecurityPolicy(SecurityPolicy.DefaultEncryptor, SecurityPolicy.DefaultAuthenticator, true); } byte[] blob = null; using(FileStream fs = File.Open(node_config.Security.KeyPath, FileMode.Open)) { blob = new byte[fs.Length]; fs.Read(blob, 0, blob.Length); } RSACryptoServiceProvider rsa_private = new RSACryptoServiceProvider(); rsa_private.ImportCspBlob(blob); CertificateHandler ch = null; if(node_config.Security.Dtls) { ch = new OpenSslCertificateHandler(node_config.Security.CertificatePath, address.ToString()); } else { ch = new CertificateHandler(node_config.Security.CertificatePath, address.ToString()); } if(node_config.Security.SecureEdges) { node.EdgeVerifyMethod = EdgeVerify.AddressInSubjectAltName; } // A hack to enable a test for security that doesn't require each peer // to exchange certificates if(node_config.Security.TestEnable) { blob = rsa_private.ExportCspBlob(false); RSACryptoServiceProvider rsa_pub = new RSACryptoServiceProvider(); rsa_pub.ImportCspBlob(blob); CertificateMaker cm = new CertificateMaker("United States", "UFL", "ACIS", "David Wolinsky", "*****@*****.**", rsa_pub, "brunet:node:abcdefghijklmnopqrs"); Certificate cacert = cm.Sign(cm, rsa_private); cm = new CertificateMaker("United States", "UFL", "ACIS", "David Wolinsky", "*****@*****.**", rsa_pub, address.ToString()); Certificate cert = cm.Sign(cacert, rsa_private); ch.AddCACertificate(cacert.X509); ch.AddSignedCertificate(cert.X509); } if(node_config.Security.Dtls) { OpenSslCertificateHandler ssl_ch = ch as OpenSslCertificateHandler; so = new DtlsOverlord(rsa_private, ssl_ch, new PType(20)); node.GetTypeSource(new PType(20)).Subscribe(so, null); } else { so = new SymphonySecurityOverlord(node, rsa_private, ch, node.Rrm); node.GetTypeSource(PeerSecOverlord.Security).Subscribe(so, null); } so.Subscribe(node, null); } // Add Dht new TableServer(node); IDht dht = new Dht(node, 3, 20); RpcDhtProxy dht_proxy = new RpcDhtProxy(dht, node); // Setup Vivaldi if requested IRelayOverlap ito = null; NCService ncservice = null; if(node_config.NCService.Enabled) { ncservice = new NCService(node, node_config.NCService.Checkpoint); if (node_config.NCService.OptimizeShortcuts) { node.Ssco.TargetSelector = new VivaldiTargetSelector(node, ncservice); } ito = new NCRelayOverlap(ncservice); } else { ito = new SimpleRelayOverlap(); } // Create the ApplicationNode ApplicationNode app_node = new ApplicationNode(node, dht, dht_proxy, ncservice, so); // Add Edge listeners EdgeListener el = null; foreach(NodeConfig.EdgeListener item in node_config.EdgeListeners) { el = CreateEdgeListener(item, app_node, addresses); if(node_config.Security.SecureEdgesEnabled) { el = new SecureEdgeListener(el, so); } node.AddEdgeListener(el); } // Create the tunnel and potentially wrap it in a SecureEL el = new Relay.RelayEdgeListener(node, ito); if(node_config.Security.SecureEdgesEnabled) { el = new SecureEdgeListener(el, so); } node.AddEdgeListener(el); List<TransportAddress> RemoteTAs = null; if(node_config.RemoteTAs != null) { RemoteTAs = new List<TransportAddress>(); foreach(String ta in node_config.RemoteTAs) { RemoteTAs.Add(TransportAddressFactory.CreateInstance(ta)); } node.RemoteTAs = RemoteTAs; } // Add XmlRpc if(node_config.XmlRpcManager.Enabled) { if(_xrm == null) { _xrm = new XmlRpcManagerServer(node_config.XmlRpcManager.Port); } _xrm.Add(node, GetXmlRpcUri(app_node)); new RpcDht(dht, node); } if(node_config.PrivateNodeConfig != null && node_config.PrivateNodeConfig.Enabled) { CreatePrivateNode(app_node, NodeConfig.GetPrivateNodeConfig(node_config)); } return app_node; }
protected virtual StructuredNode PrepareNode(int id, AHAddress address) { if(TakenIDs.ContainsKey(id)) { throw new Exception("ID already taken"); } StructuredNode node = new StructuredNode(address, BrunetNamespace); NodeMapping nm = new NodeMapping(); nm.ID = id; TakenIDs[id] = nm; nm.Node = node; Nodes.Add((Address) address, nm); EdgeListener el = CreateEdgeListener(nm.ID); if(_secure_edges || _secure_senders) { byte[] blob = _se_key.ExportCspBlob(true); RSACryptoServiceProvider rsa_copy = new RSACryptoServiceProvider(); rsa_copy.ImportCspBlob(blob); string username = address.ToString().Replace('=', '0'); CertificateMaker cm = new CertificateMaker("United States", "UFL", "ACIS", username, "*****@*****.**", rsa_copy, address.ToString()); Certificate cert = cm.Sign(_ca_cert, _se_key); CertificateHandler ch = null; if(_dtls) { ch = new OpenSslCertificateHandler(); } else { ch = new CertificateHandler(); } ch.AddCACertificate(_ca_cert.X509); ch.AddSignedCertificate(cert.X509); if(_dtls) { nm.SO = new DtlsOverlord(rsa_copy, ch, PeerSecOverlord.Security); } else { nm.Sso = new SymphonySecurityOverlord(node, rsa_copy, ch, node.Rrm); nm.SO = nm.Sso; } var brh = new BroadcastRevocationHandler(_ca_cert, nm.SO); node.GetTypeSource(BroadcastRevocationHandler.PType).Subscribe(brh, null); ch.AddCertificateVerification(brh); nm.SO.Subscribe(node, null); node.GetTypeSource(PeerSecOverlord.Security).Subscribe(nm.SO, null); } if(_pathing) { nm.PathEM = new PathELManager(el, nm.Node); nm.PathEM.Start(); el = nm.PathEM.CreatePath(); PType path_p = PType.Protocol.Pathing; nm.Node.DemuxHandler.GetTypeSource(path_p).Subscribe(nm.PathEM, path_p); } if(_secure_edges) { node.EdgeVerifyMethod = EdgeVerify.AddressInSubjectAltName; el = new SecureEdgeListener(el, nm.SO); } node.AddEdgeListener(el); if(!_start) { node.RemoteTAs = GetRemoteTAs(); } IRelayOverlap ito = null; if(NCEnable) { nm.NCService = new NCService(node, new Point()); // My evaluations show that when this is enabled the system sucks // (node as StructuredNode).Sco.TargetSelector = new VivaldiTargetSelector(node, ncservice); ito = new NCRelayOverlap(nm.NCService); } else { ito = new SimpleRelayOverlap(); } if(_broken != 0) { el = new Relay.RelayEdgeListener(node, ito); if(_secure_edges) { el = new SecureEdgeListener(el, nm.SO); } node.AddEdgeListener(el); } BroadcastHandler bhandler = new BroadcastHandler(node as StructuredNode); node.DemuxHandler.GetTypeSource(BroadcastSender.PType).Subscribe(bhandler, null); node.DemuxHandler.GetTypeSource(SimBroadcastPType).Subscribe(SimBroadcastHandler, null); // Enables Dht data store new TableServer(node); nm.Dht = new Dht(node, 3, 20); nm.DhtProxy = new RpcDhtProxy(nm.Dht, node); return node; }